Secret vars are now stored in the repository in GPG-encrypted form:

https://github.com/appsembler/launcher/blob/develop/deploy/vault/github_deploy_key.yml.gpg

https://github.com/appsembler/launcher/blob/develop/deploy/vault/vagrant_secret_vars.yml.gpg

To decrypt them you need to run “decrypt.py [vagrant|staging|production]”, which will decrypt github_deploy_key.gpg and the relevant [vagrant|staging|production]_secret_vars.yaml.gpg.

Note about the encryption: it’s symmetric AES-256 with SHA-512 password hashing. AES itself should be unbreakable (assuming no flaws in GPG), but the weak link in the chain is the password. Modern GPUs can bruteforce password at astonishing speed – as per https://hashcat.net/oclhashcat/ 8xAMD R9 290X can brute-force SHA-512 at 4552 Mh/s (that’s 4,5 billion hashes per second!!!). And that’s for a one-time investment of ~$3000. 

Now, if password is 10 char long, where those characters are picked randomly from the [a..z,A..Z] set, the password space will be 52^10 possible variants. The mentioned R9 combo can search such password space in 371 days, i.e. over a year! So on average it will find such password in 6 months. And if you use 80 R9s it will take only 2,5 weeks! And there are probably hundreds or thousends of bitcoin farms with such horsepower.

Fortunately I set the maximum number of hash interations which should slow potential attackers by an order of magnitude, and also set a much stronger password, but:

• eventually we should move to a safer scheme – for instance each of us could have a key pair and we could use our public keys to encrypt the secret vars and then there would be no shared password.
• we should change keys every 3 months or so – that is a healthy practice even if you don’t store encrypted key in the repo.